Response to Amendment

1. This is in response to the amendment filed 03/12/2008.

2. Applicant's arguments, with respect to the new issues of claims 1, 20, 24, 28 and 29, 
necessitated the new ground(s) of rejection presented in this Office action. 

Quotations of U.S. Code Title 35 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made. 

4. The claims and only the claims form the metes and bounds of the invention. "Office 
personnel are to give claims their broadest reasonable interpretation in light of the supporting 
disclosure. In re Morris, 127 F.3d 1048, 1054-55, 44 USPQ2d 1023, 1027-28 (Fed. Cir 1997). 
Limitations appearing in the specification but not recited in the claim are not read into the claim. 
In re Prater, 415 F.2d 1393, 1404-05, 162 USPQ 541, 550-551 (CCPA 1969)" (MPEP p2100-8, c
2, I 45-48; p 2100-9, c 1, I 1-4). The Examiner has full latitude to interpret each claim in the 
broadest reasonable sense. The Examiner will reference prior art using terminology familiar to 
one of ordinary skill in the art. Such an approach is broad in concept and can be either explicit or 
implicit in meaning. 
Claim Rejections - 35 USC § 103

5. Claims 1, 5-7, 9, 10, 20, 23-25, and 27-29 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent No. 6,421,571 ("Spriggs") in view of U.S. Patent No. 5,539,906 
("Abraham"). 
Regarding claim 1 

Spriggs teaches "an automation security system, comprising: an asset component that defines an 
industrial automation device " (see C 3 L 20-24 "asset management system for protecting and 
managing industrial plant assets"); "an access component that defines a security attribute 
associated with the industrial automation device" (see C 14 L 20-39 and C 27 L 64 to C 28 L 1- 
2 "settings security based on each user associates with different instrumentations of the industrial 
plant"); "and a security component that regulates access to the industrial automation device 
based upon the security attribute " (see C 28 L 2-4 "a security manager module 222 regulates 
access to the control and configuration of devices such as a portable system or an on-line system 
based upon security attribute of each user"). 

Spriggs does not specifically disclose the security attribute including a location attribute 
and a time attribute that grants access to the industrial automation device for a predetermined 
amount of time. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the
invention to incorporate the security feature based on locations of Abraham with the teaching of
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Furthermore, the concepts and advantages of having a time attribute for granting access
to a device for a predetermined amount of time are well known and expected in the art. These well
known features are included in U.S. Patent No. 5,051,837 to McJunkin where granting access to
different equipment is limited within a predetermined amount of time (e.g. col. 2 lines 35-57).
It would have been obvious to one of ordinary skill in the art to include the time limitation control to
Spriggs because it would provide an additional method for controlling security access to a
particular equipment or device.
Regarding claim 20 

Spriggs teaches "an automation security system, comprising: a server that manages a network 
interface between networked industrial automation devices and other devices attempting access 
to the networked industrial automation devices" (see C 3 L 20-24 and L 31-57 "asset 
management system for protecting and managing industrial plant assets on a network"); "a 
security management module associated with the network interface that enforces an enterprise 
wide policy and that manages security threats directed to the networked industrial automation 
devices" (see C 14 L 20-39 and C 27 L 64 to C 28 L 1-4 "a security manager module 222 
enforces security settings for system 10. The security settings are based on each user to access 
different instrumentations of the industrial plant such as a portable system or an on-line
system").

Spriggs does not specifically disclose the enterprise wide policy including a location 
attribute and a time attribute that limits access to the networked industrial automation devices to 
certain time periods. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the
invention to incorporate the security feature based on locations of Abraham with the teaching of
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Furthermore, the concepts and advantages of having a time attribute for granting access
to a device for a certain time period are well known and expected in the art. These well known
features are included in U.S. Patent No. 5,051,837 to McJunkin where granting access to
different equipment is limited within certain time periods (e.g. col. 2 lines 35-57). It would
have been obvious to one of ordinary skill in the art to include the time limitation control to Spriggs
because it would provide an additional method for controlling security access to a network of
equipment or devices.
Regarding claim 24

Spriggs teaches "an automation security methodology, comprising: electronically analyzing an 
industrial automation device" (see C 3 L 20-24 and L 31-57 "asset management system for 
protecting and managing industrial plant assets on a network"); "programmatically modeling the
industrial automation device in accordance with network security considerations " (see C 6 L 55- 
61); "and automatically developing a security framework for an automation system based in part 
on the modeling of the industrial automation device and a network access type" (see C 14 L 20- 
39 and C 27 L 64 to C 28 L 1-4 "a security manager module 222 enforces security settings for 
system 10. The security settings are based on each user to access different instrumentations of 
the industrial plant such as a portable system or an on-line system"). 

Spriggs does not specifically disclose the network considerations include a location 
attribute and a time attribute that controls if and how long network access is granted to the 
industrial automation device. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the
invention to incorporate the security feature based on locations of Abraham with the teaching of
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Furthermore, the concepts and advantages of having a time attribute for granting access
to a device for a certain time period are well known and expected in the art. These well known
features are included in U.S. Patent No. 5,051,837 to McJunkin where granting access to
different equipment is limited within certain time periods (e.g. col. 2 lines 35-57). It would
have been obvious to one of ordinary skill in the art to include the time limitation control to Spriggs
because it would provide an additional method for controlling security access to a network of
equipment or devices.
Regarding claim 28 

Spriggs teaches "an automated security system for an automation control environment, 
comprising: means for defining one or more security attributes associated with at least one 
network request" (see C 3 L 20-24 and L 31-57 "asset management system for protecting and 
managing industrial plant assets on a network"); "means for processing the one or more security 
attributes" (see C 14 L 20-39 and C 27 L 64 to C 28 L 2 "settings security based on each user for 
accessing different instrumentations of the industrial plant"); "means for automatically 
determining which network devices require security resources" (see C 17 L 11-18); "means for
controlling access to at least one of a network device and an industrial automation component 
based in part on the one or more security attributes" (see C 28 L 2-4 "a security manager 
module 222 regulates access to the control and configuration of devices such as a portable 
system or an on-line system based upon security attribute of each user"). 
Spriggs does not specifically disclose the security attributes include at least one of: a
location attribute, a time attribute, a role attribute, and an access type attribute. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the
invention to incorporate the security feature based on locations of Abraham with the teaching of
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).
Regarding claim 29 

Spriggs teaches "a security schema for a factory automation system, comprising: a first data 
field that describes industrial automation devices" (see C 3 L 20-24 and L 31-57 "asset 
management system for protecting and managing industrial plant assets on a network"); "a 
second data field that describes security parameters for the industrial automation devices " (see 
C 14 L 20-39 and C 27 L 66 to C 28 L 1-2 "settings security based on each user for accessing 
different instrumentations of the industrial plant"); "and a schema that associates the first and 
second data fields, the schema employed to limit access to the industrial automation devices 
based upon the security parameters " (see C 28 L 2-4 "a security manager module 222 regulates 
access to the control and configuration of devices such as a portable system or an on-line system
based upon security attribute of each user"). 

Spriggs does not specifically disclose the security parameter including a location attribute 
and a time attribute that enables access to the industrial automation devices for a specified time. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the
time of the invention to incorporate the security feature based on locations of Abraham with the
teaching of Spriggs to provide an improved data security control for a data processing system. The
claim would have been obvious in that a method of enhancing a particular class of devices
(methods, or products) was made part of the ordinary capacities of one skilled in the art based
upon the teaching of such improvement in other situations (KSR International Co. v. Teleflex
Inc.).

Furthermore, the concepts and advantages of having a time attribute for granting access
to a device for a specified time are well known and expected in the art. These well known features
are included in U.S. Patent No. 5,051,837 to McJunkin where granting access to different
equipment is limited within a specified time (e.g. col. 2 lines 35-57). It would have been obvious to one
of ordinary skill in the art to include the time limitation control to Spriggs because it would
provide an additional method for controlling security access to a network of equipment or
devices.



Application/Control Number: 10/661,239

Art Unit: 2121

Regarding claim 5 

Spriggs teaches the asset component describes at least one of factory components and groupings, 
the factory components are at least one of sensors, actuators, controllers, I/O modules, 
communications modules, and human-machine interface (HMI) devices (see C 3 L 45-52 and C 
7 L 2-5). 

Regarding claim 6 

Spriggs teaches the groupings include factory components that are grouped into at least one of 
machines, machines grouped into lines, and lines grouped into facilities (see C 3 L 53-57). 
Regarding claim 7 

Spriggs teaches the groupings have associated severity attributes such as at least one of risk and 
security incident cost (see C 4 L 31-37). 
Regarding claim 8 

Spriggs and Abraham do not specifically teach an ISA S95 Model for Enterprise to Control 
System integration to integrate security aspects across or within respective groupings. "Official 
Notice" is taken that both the concept and advantages of providing an ISA S95 Model for 
Enterprise to Control System integration to integrate security aspects across or within respective 
groupings is well known and expected in the art. U.S. Patent Application Publication No. 
2003/0014500 to Schleiss et al. discloses a preferred flow of communication between various 
process control and information technology systems are typically found within an enterprise 
defined by an ISA S95 model international standard (see paragraphs 7 and 8). It would have been 
obvious to one of ordinary skill in the art to include the ISA S95 model for Enterprise to Control 
system to Spriggs because it would provide for interacting between production or process control 
systems, enterprise resource planning systems and manufacturing execution systems to facilitate
the integration of these systems. 
Regarding claim 9 

Spriggs teaches a set of generic IT components and specifies parameters to assemble and 
configure the IT components to achieve flexible access to the industrial automation device (see C 
6 L 55-61). 
Regarding claim 10 

Spriggs teaches the IT components include at least one of switches with virtual local area 
network (VLAN) capability, routers with access list capability, firewalls, virtual private network 
(VPN) termination devices, intrusion detection systems, AAA servers, configuration tools, and 
monitoring tools (see C 7 L 26-44). 
Regarding claim 23 

Spriggs teaches at least one of: an authentication with the one or more servers to establish a 
secure link; a secure link to authenticate and authorize access to a requestor of the networked 
industrial automation device; and establishment of a secure session with the requestor if access is 
authorized (see C 3 L 45-52 and C 7 L 2-5). 
Regarding claim 25 

Spriggs teaches analyzing one or more security attributes to determine whether access should be 
granted to the one or more industrial automation assets (see C 3 L 20-25). 
Regarding claim 27 

Spriggs teaches at least one of: determining whether to grant access to the one or more 
automation assets; granting access from the industrial automation device; and granting access 
from the industrial automation device; and granting access from a network device associated
with the industrial automation device (see C 27 L 65 to C 28 L 6). 

6. Claims 3, 4, 11-19, 21, 22, 26, and 30-33 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Spriggs in view of Abraham and further in view of U.S. Patent Application
Publication No. 2004/0034774 ("Le Saint"). 
Regarding claims 3, 4, 26 and 30 

Spriggs does not specifically discuss the security component is based on at least one of a formal 
threat analysis, a vulnerability analysis, a factory topology mapping and an attack tree analysis; 
the security component is based on at least one of automation and process control security, 
cryptography, and Authentication/ Authorization/ Accounting (AAA). 

However, Le Saint teaches the security component is based on at least one of a formal 
threat analysis, a vulnerability analysis, a factory topology mapping and an attack tree analysis 
(see paragraph 48); the security component is based on at least one of automation and process 
control security, cryptography, and Authentication/ Authorization/Accounting (AAA) (see 
paragraph 13). 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security attributes and security component of Le Saint with the 
system of Spriggs because it would provide for the purpose of enforcing control aspect stated in 
the attributes including security policies and delegated privilege state. 
Regarding claims 11-22 and 31-33 
Spriggs does not specifically disclose security parameters and policies that are developed for
physical and electronic security for various component types; at least one of security protection 
levels, identification entry capabilities, integrity algorithms, and privacy algorithms; the security 
component includes at least one of authentication software, virus detection, intrusion detection, 
authorization software, attack detection, protocol checker, and encryption software; at least one 
of acts as an intermediary between an access system and one or more automation components, 
and facilitates communications between the access system and the one or more automation 
components; the security attributes are specified as part of a network request to gain access to the 
one or more factory assets, the security attributes included in at least one of a group, set, subset, 
and class; the security component employs at least one authentication procedure and an 
authorization procedure to process the network request; one or more security protocols including 
at least one of Internet Protocol Security (IPSec), Kerberos, Diffie-Hellman exchange, Internet 
Key Exchange (IKE), digital certificate, pre-shared key, and encrypted password, to process the 
network request; at least one of an access key and a security switch to control network access to 
a device or network; the access key further comprises at least one of time, location, batch, 
process, program, calendar, GPS (Global Positioning Information) to specify local and wireless 
network locations, to control access to the device or network; the security management module 
at least one of schedules audits, establishes a security policy, applies the policy from a single or 
distributed console, and generates reports that identify potential weaknesses in security; the 
security management module provides an interface to at least one of add, delete and modify 
security rights of an individual, a group, or a device and distribute security information to 
various controllers and control devices; a response schema to provide status to a requesting 
network device; the response schema including at least one of a status field, a time field, an
access type field, an access location field, and a key field, an attachment field to indicate other 
security data follows the response schema. 

However, Le Saint teaches security parameters and policies that are developed for 
physical and electronic security for various component types (see paragraph 50); at least one of 
security protection levels, identification entry capabilities, integrity algorithms, and privacy 
algorithms (see paragraph 50); the security component includes at least one of authentication 
software, virus detection, intrusion detection, authorization software, attack detection, protocol 
checker, and encryption software (see paragraph 52); at least one of the industrial automation 
devices acts as an intermediary between an access system and one or more automation 
components, and facilitates communications between the access system and the one or more 
automation components (see paragraph 52); the security attributes are specified as part of a 
network request to gain access to the one or more factory assets, the security attributes included 
in at least one of a group, set, subset, and class; the security component employs at least one 
authentication procedure and an authorization procedure to process the network request (see 
paragraph 57); one or more security protocols including at least one of Internet Protocol Security 
(IPSec), Kerberos, Diffie-Hellman exchange, Internet Key Exchange (IKE), digital certificate, 
pre-shared key, and encrypted password, to process the network request (see paragraph 54); 
at least one of an access key and a security switch to control network access to a device or 
network; the access key further comprises at least one of time, location, batch, process, program, 
calendar, GPS (Global Positioning Information) to specify local and wireless network locations, 
to control access to the device or network (see paragraph 57); the security management module 
at least one of schedules audits, establishes a security policy, applies the policy from a single or
distributed console, and generates reports that identify potential weaknesses in security; the 
security management module provides an interface to at least one of add, delete and modify 
security rights of an individual, a group, or a device and distribute security information to 
various controllers and control devices (see paragraph 60); a response schema to provide status 
to a requesting network device; the response schema including at least one of a status field, a 
time field, an access type field, an access location field, and a key field, an attachment field to 
indicate other security data follows the response schema (see paragraph 63). 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security system of Le Saint with the system of Spriggs because it 
would provide for the purpose of enforcing control aspect stated in the attributes including 
security policies and delegated privilege state. 
Response to Arguments

In the remarks, applicant argues that the cited reference fails to teach:

I) "the security attribute including a location attribute and a time attribute that grants access 
to the asset component for a predetermined amount of time", as to claim 1 and similarly to 
claims 20, 24, and 29. 

In response to applicant's arguments, 

I) It should be noted that the concepts and advantages of having a time attribute for granting
access to a device for a predetermined amount of time are well known and expected in the art.
These well known features are included in U.S. Patent No. 5,051,837 to McJunkin where
granting access to different equipment is limited within a predetermined amount of time (e.g.
col. 2 lines 35-57). It would have been obvious to one of ordinary skill in the art to include the time
limitation control to Spriggs because it would provide an additional method for controlling
security access to a particular equipment or device.
Conclusion

7. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to examiner Thomas Pham, whose telephone number is (571) 272-3689,
Monday - Friday from 7:30 AM - 4:00 PM EST or contact Supervisor Mr. Albert Decady
at (571) 272-3819. 

Any response to this office action should be mailed to: Commissioner for Patents, P.O.
Box 1450, Alexandria VA 22313-1450. Responses may also be faxed to the official fax
number (571) 273-8300.

Thomas Pham 

/Thomas K Pham/ 

Primary Examiner, Art Unit 2121 

May 10, 2008 



